[…] Mandiant has watched the group as it has stolen technology blueprints, manufacturing processes, clinical trial results, pricing documents, negotiation strategies and other proprietary information from more than 100 of its clients, mostly in the United States. Mandiant identified attacks on 20 industries, from military contractors to chemical plants, mining companies and satellite and telecommunications corporations.

[…] What most worries American investigators is that the latest set of attacks believed to be coming from Unit 61398 focuses not just on stealing information, but on obtaining the ability to manipulate American critical infrastructure: the power grids and other utilities.

[…] A few years ago, [U.S.] administration officials say, the theft of intellectual property was an annoyance, resulting in the loss of billions of dollars of revenue. But clearly something has changed. The mounting evidence of state sponsorship, the increasing boldness of Unit 61398, and the growing threat to American infrastructure are leading officials to conclude that a far stronger response is necessary.

“Right now there is no incentive for the Chinese to stop doing this,” said Mr. Rogers, the House intelligence chairman. “If we don’t create a high price, it’s only going to keep accelerating.”

The Mandiant report provides details of three “personas” believed to be part of APT1, “in an effort to underscore there are actual individuals behind the keyboard.” (See also Bloomberg Businessweek’s recent ‘A Chinese Hacker’s Identity Unmasked’, via CDT, on an alleged hacker identified as a teacher at a P.L.A. university.) The most dramatic of the released materials is a narrated video purportedly showing one of these hackers at work:

Large propaganda posters are pinned to walls around the base between Shanghai’s Datong and Tonggang roads. “Everyone has the duty to defend our country and our home!” reads one poster, featuring a group of young soldiers crawling through mud.

Another poster shows a line of PLA tanks and four fighter jets and is emblazoned with the slogan: “Security and peace protects hundreds of thousands of households!”

Opposite the building identified by Mandiant is a street of hardware shops and a salon carrying a bright pink sign with the name: “Slender Beauty.”

[…] On Tuesday afternoon, a woman who identified herself as a member of ‘Unit 61398’ but refused to produce any identification reprimanded the Daily Telegraph for taking notes on a nearby street corner.

The decision to publish a significant part of our intelligence about Unit 61398 was a painstaking one. What started as a “what if” discussion about our traditional non-disclosure policy quickly turned into the realization that the positive impact resulting from our decision to expose APT1 outweighed the risk to our ability to collect intelligence on this particular APT group. It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively. The issue of attribution has always been a missing link in publicly understanding the landscape of APT cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns. We hope that this report will lead to increased understanding and coordinated action in countering APT network breaches.

At the same time, there are downsides to publishing all of this information publicly. Many of the techniques and technologies described in this report are vastly more effective when attackers are not aware of them. Additionally, publishing certain kinds of indicators dramatically shortens their lifespan. When Unit 61398 changes their techniques after reading this report, they will undoubtedly force us to work harder to continue tracking them with such accuracy. It is our sincere hope, however, that this report can temporarily increase the costs of Unit 61398’s operations and impede their progress in a meaningful way.

We are acutely aware of the risk this report poses for us. We expect reprisals from China as well as an onslaught of criticism.

In summary, my problem with this report is not that I don’t believe that China engages in massive amounts of cyber espionage. I know that they do – especially when an executive that we worked with traveled to Beijing to meet with government officials with a clean laptop and came back with one that had been breached while he was asleep in his hotel room.

My problem is that Mandiant refuses to consider what everyone that I know in the Intelligence Community acknowledges – that there are multiple states engaging in this activity; not just China. And that if you’re going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding. Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew.

“Hacking attacks are transnational and anonymous. Determining their origins is extremely difficult. We don’t know how the evidence in this so-called report can be tenable,” spokesman Hong Lei told a daily news briefing.

“Arbitrary criticism based on rudimentary data is irresponsible, unprofessional and not helpful in resolving the issue.”

Hong cited a Chinese study which pointed to the United States as being behind hacking in China.

“Of the above mentioned Internet hacking attacks, attacks originating from the United States rank first.”